Kaspersky accused of having close ties to sauna-loving Russian spies

An extraordinary story appeared on the Bloomberg website at the end of last week, accusing security company Kaspersky Lab of having “close ties to Russian spies”.

Here are some of the allegations that Bloomberg makes in its article:

“while Kaspersky Lab has published a series of reports that examined alleged electronic espionage by the U.S., Israel, and the U.K., the company hasn’t pursued alleged Russian operations with the same vigor.”

Awkwardly, just two days before the Bloomberg article, Kaspersky researchers published further details of what they call the “Crouching Yeti” group, who have been targeting industrial, manufacturing and pharmaceutical industries with targeted attacks since the end of 2010.

Crouching Yeti, also known by some as Energetic Bear or Dragonfly, have - according to the Kaspersky Lab report - been mostly targeting the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, and China.

Notice a country missing from that list of targets? Yes, there’s no Russia listed.

Which might seem odd until you read that, in the opinion of Kaspersky, the authors are likely to be Russian-speaking.

Personally, I have no doubt that security companies (not just Kaspersky) have awkward business decisions to make regarding their publicising of state-sponsored attacks where they might feel pressure from government customers to keep them quiet.

But Bloomberg doesn’t appear to have found evidence of any suspicious cover-up in Kaspersky’s case.

Score: Bloomberg 0 - 1 Kaspersky

Next, allegations that Kaspersky assists the FSB (the modern name for the KGB):

“Some [staff] actively aid criminal investigations by the FSB, the KGB’s successor, using data from some of the 400 million customers who rely on Kaspersky Lab’s software, say six current and former employees who declined to discuss the matter publicly because they feared reprisals.”

You know what, I’d be surprised if a company that counters internet crime doesn’t occasionally work with law enforcement and intelligence agencies tasked with protecting their countries from attack.

So, big deal if Kaspersky sometimes works with the FSB. Just like if FireEye works with the FBI and the CIA. Or Sophos with the NCA and GCHQ.

I would expect all of these companies, as well as their competitors, to believe in protecting their global customer base from threats, wherever they originated around the world, and work when appropriate with law enforcement both at home and abroad to bring criminals to justice.

That isn’t to say that a security vendor should be in the pocket of a particular government, of course, but I see nothing wrong in Kaspersky “actively aiding criminal investigations by the FSB.”

Unless Bloomberg can come up with evidence that Kaspersky’s relationship with the FSB is unhealthy or has compromised its customers, then I’m not sure what there is to worry about.

Score: Bloomberg 0 - 2 Kaspersky

Finally, Bloomberg chooses to share with us details of Eugene Kaspersky’s bathing habits:

“Unless [Eugene] Kaspersky is traveling, he rarely misses a weekly banya (sauna) night with a group of about 5 to 10 that usually includes Russian intelligence officials. Kaspersky says in an interview that the group saunas are purely social: “When I go to banya, they’re friends.””

As far as I know, the sanitary habits of the chief executives of other anti-virus companies have not been scrutinised so closely. But what’s important here is less about whether a man likes to sit in an intensely hot steam room, but the kind of company he keeps - and how that might influence them and their business.

The Bloomberg report suggests that Eugene Kaspersky’s sauna trips might be evidence that the company has too close a relationship with Russian intelligence, but the man himself has robustly denied their purpose is to meet up with intelligence contacts:

“sometimes I do go to the banya (sauna) with my colleagues. It’s not impossible that there might be Russian intelligence officials visiting the same building simultaneously with me, but I don’t know them.”

So, Bloomberg is right that Eugene Kaspersky likes to go to the sauna. But they haven’t provided any evidence that there’s anything suspicious about it. I think that’s a point in Kaspersky’s favour.

Score: Bloomberg 0 - 3 Kaspersky

Kaspersky’s founder is at least prepared to laugh about the allegations, claiming that the company’s next conference for researchers will have the appropriate facilities:

Upcoming @TheSAS2016 will be held in SPA with wide selection of banya, sauna, hamam, thermae & sweat lodge. Then we ride bears to the beach.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Whatever. Ad hominems show one thing and one thing only: a lack of any valid arguments, often because of a (usually complete) lack of understanding/comprehension of the topic (and indeed; what would the media know about computer security, or for that matter, computers? Not much although they certainly don’t mind writing things like [this]). I knew the media was pathetic but to bring up saunas is pushing it really far (although I know that certainly there has been worse and there will be worse still)… To think that saunas are somehow relevant to spying and Kaspersky is really bizarre. Yes, Kaspersky has some issues (who doesn’t? Yes, yes, I’m sure Americans don’t[1]…ironically showing blindness to certain things which is an issue itself), but if Bloomberg was to be honest, many countries force corporations (under their laws) to do certain things and those things include questionable things (including espionage). On the other hand, Kaspersky making statements that the Internet should have passports, that is definitely an ‘issue’ but it is also irrelevant. In any case, without actual proof it is also - besides throwing in ad hominem - libel. If they don’t have proof they could (maybe they do; maybe I need to check their story in full but it would be one of the more uncommon cases) state it as a belief/opinion/unverified/etc. and not fact[2].

[1] I know not all are this way but many do think they don’t have issues/are best/etc. More correctly would be ‘humans’ (and all across the world) but I am trying to keep the same parties involved and Bloomberg is, as far as I know… an American organisation.
[2] Employees can become disgruntled. Given this, the fact the ex-employees are refusing to give much information, makes their claims less valid (many people will say pretty much anything at times, even if not intentionally wrong/incorrect/hurtful; how do we know these employees don’t fit here?). No matter how good or bad a company is, there’s always going to be those who think otherwise.

Most people, no matter what security product they use by default, periodically scan with other vendors’ products, often several different vendors’ products. Kind of a “Trust but Verify” approach in order to not be overly reliant on a specific vendor.

I doubt many companies operating in Russia would choose to openly accuse/expose illegal activities that their government may be engaged in, given the consequences that could arise as a result; internal litigation and/or less orthodox repercussions from the FSB. “Don’t bite the hand that feeds you”, isn’t the right phrase but the principle isn’t far off. The Russian government doesn’t like criticism from within.

Whilst not much evidence has been offered up by Bloomberg, they do cite these allegations from internal sources who are, as per the above point, rightly scared to reveal their names and/or data that could be linked back to them.

I’ve always thought Bloomberg was a fairly reputable media company and would be surprised if they published a story like this without basis. Protecting their sources is completely understandable, even if that does make the evidence for their claims rather lacking and ambiguous.

You’re right - they do have that risk. You’d also be right that it is good on Bloomberg to not reveal their information if requested. It isn’t even criticism from within - Russia doesn’t like criticism of any kind, inside or out. I think Russia isn’t the only place that has this kind of problem.

But it doesn’t really help matters to say something like “Well, we know they’re up to no good - we won’t elaborate on this behaviour but it is still true and we have sources to back these claims. Who are the sources? We can’t really say - they asked to remain anonymous.” - they might as well not write up the hearsay (which might not be what it is exactly to some but very similar then). Regardless of how you word it, it is unhelpful at best to make statements like that. If you are to make an accusation then at least give your evidence (even if fabricated/etc., at least give something so that you have some credibility). As for them being afraid to reveal contact information, you can twist that in more than one way, including at least one way where the accuser looks far less credible - the reason they’re unwilling to give their names is they know they’re not telling the full story (and it could also be that they fear backlash from their employer, or that they’re hiding some other information). It might as well be speculation in this case because so little information is provided. Speculation is rather like assuming, at least in my mind. Perhaps I’m also assuming - decide as you wish.

In the end, they may very well be credible. The claims, however, at least as they are given, are not credible. I think that is the difference and that is where the problem is.

Edit: also, even if the claims are legit, you should consider that Russia might otherwise force Kaspersky to do this, in which case it isn’t even up to the employees. It is, after all, under their laws.
